The Drones Are Coming

Americans are used to reading about unmanned aircraft flying over the Middle East in search of militants. Soon those eyes will be over American skies as well. This coming spring, the Federal Aviation Administration (FAA) plans to propose rules that will enable civilians to obtain permits to fly drones over the national airspace.

Non-military drones can be very useful in a variety of ways – from dusting crops to inspecting dangerous disaster sites – but drones are also powerful surveillance tools. Before unleashing this technology, the FAA must establish basic privacy and transparency rules for domestic use of drones. The FAA should require applications for drone licenses to include a description of how the drone operator intends to handle any information the drone will collect about individuals, and the FAA should make approved drone licenses, along with the licensee’s privacy statement, publicly available.

Of course, law enforcement agencies will not be the only ones using drones. Potentially anyone from media companies to homeowners’ associations might one day obtain a permit to send a flying video camera into the air and stream the footage onto the Internet. Drones are not terribly expensive – some law enforcement models cost roughly as much as a police cruiser. The combination of effectiveness, low cost, and industry pressure is likely to spur widespread drone use in coming years.

The U.S. Supreme Court declared long ago that individuals have no “expectation of privacy” in public places, making people on city streets or open fields fair game for aerial surveillance. The Supreme Court also held that individuals on their own property have no expectation of privacy from police observation from public airspace, meaning that police do not presently need a warrant to peer into a fenced-in backyard with a drone. However, police do need a warrant to use a unique sensory device – such as a thermal imaging camera – on an individual’s home, and some state privacy laws offer weak protection against video surveillance of individuals on private property. Taken as a whole, though, American law currently affords few clearly defined privacy protections when it comes to drones.

That is why it is important that the FAA’s upcoming rules for civilian drones include fundamental privacy and transparency standards. The FAA’s current, interim guidelines for unmanned aircraft are silent on these issues. The FAA is charged with managing flight within the domestic airspace “in the public interest.” When aircraft are being used not for transport, but expressly to conduct aerial surveillance, the “public interest” should include basic privacy and transparency considerations.

When the FAA proposes new regulations in the spring, the agency should establish – at minimum – two basic requirements:

All applications for an FAA drone license should include a data collection statement defining whether the drone will collect information about individuals and, if so, the circumstances under which it will be used and how the drone operator will handle any information collected about individuals. To establish the outlines of a data collection statement, the FAA does not need to come up with its own privacy framework – it can use the one adopted by the Department of Homeland Security (DHS) in 2008, which spells out the key questions in the planning of any information collection system. Using the DHS framework, an applicant should describe 1) the purpose for which the drone will be used and the circumstances under which its use will be authorized and by whom, 2) the specific kinds information the drone will collect about individuals, 3) the anticipated uses and disclosures of that information, 4) the possible impact on individuals’ privacy, 5) the specific steps the applicant will take to mitigate the impact on individuals’ privacy, such as protections against unauthorized disclosure, 6) the individual responsible for safe and appropriate use of the drone, and 7) an individual point of contact for citizen complaints.

The FAA should make all approved licenses, with the associated privacy statement of the drone operator, available online to the public in a searchable format. This requirement may have an exception for national security, but not for law enforcement. (Transparency does not require disclosure of the names of targets or the exact times or places of deployment; rather it requires disclosure of the criteria and supervisory controls under which drones will be deployed.)

Law enforcement agencies and their contractors should be subject to extra disclosure requirements. In addition to the above items, law enforcement agencies and their contractors should also disclose 1) the officials who can authorize use of the drone, 2) the applicable data minimization policies barring the collection of information unrelated to the investigation of crime and requiring the destruction of information that is no longer relevant to the investigation of a crime, and 3) the applicable audit and oversight procedures that ensure agencies and their contractors use drones only as authorized, within the scope of the data collection statement, and in compliance with data minimization policies.

These requirements alone will not fully protect Americans’ privacy from drones. Drone surveillance – whether it is carried out by law enforcement or not – raises significant legal and constitutional issues that deserve serious discussion. However, it is highly unlikely that the FAA will thoroughly address these issues in its proposed rulemaking, nor does the FAA have adequate authority to solve them. The baseline recommendations CDT outlines above are, by comparison, less complex and controversial – essentially we are urging the FAA to require drone users to have a public privacy policy. Considering the magnitude of the privacy risks posed by drones, there is scarcely any good reason not to include such basic requirements in the FAA rulemaking.

Drones represent just one of many emerging technologies that pose critical challenges to privacy and for which current U.S. law provides inadequate protection. One area ripe for reform is the Electronic Communications Privacy Act (ECPA), which sets standards for government surveillance of digital communications. CDT has organized a coalition – called Digital Due Process – that is urging Congress to update ECPA by clarifying and strengthening standards for government tracking of cell phones, as well as government access to email and private documents stored in the cloud. Unless Congress and the courts update the law, Americans will find themselves with virtually no privacy protection in any practical sense.

In the meantime, the FAA should do what it can with its rulemaking this spring. Without going so far as to say what legal standard should apply to the use of drones, and without awaiting legislative or judicial action, the FAA can establish a basic framework for domestic use of drones, providing some transparency into the practices of those proposing to put eyes in the sky over our homes.